From 78811c50021202cb2374ceeb9edf0fdac5c66398 Mon Sep 17 00:00:00 2001 From: radhikap Date: Fri, 7 Jun 2013 16:44:02 +0530 Subject: [PATCH 1/2] CLOUDSTACK-2404 more conceptual info --- docs/en-US/pvlan.xml | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/docs/en-US/pvlan.xml b/docs/en-US/pvlan.xml index 96c1a78a85d..5084ec411da 100644 --- a/docs/en-US/pvlan.xml +++ b/docs/en-US/pvlan.xml @@ -22,15 +22,37 @@
Isolation in Advanced Zone Using Private VLAN + + + isolate VMs from other VMs on the same network (Shared Networks are the most common use + case) using PVLANs + + + create a Network Offering enabling PVLAN support + + + create shared networks based on a network offering which has PVLANs enabled + + + supported in VPC as well as non-VPC deployments + + + supported on all Hypervisors + + + Allow end users to deploy VMs on Isolated Networks or VPC along with the Shared Networks + that have PVLAN support + +
About Private VLAN - In an Ethernet switch, a VLAN is a broadcast domain in which hosts can establish direct + In an Ethernet switch, a VLAN is a broadcast domain where hosts can establish direct communication with each another at Layer 2. Private VLAN is designed as an extension of VLAN standard to add further segmentation of the logical broadcast domain. A regular VLAN is a single broadcast domain, whereas a private VLAN partitions a larger VLAN broadcast domain into smaller sub-domains. A sub-domain is represented by a pair of VLANs: a Primary VLAN and a - Secondary VLAN. The original VLAN that is being divided into smaller groups is called - Primary, That implies all VLAN pairs in a private VLAN share the same Primary VLAN. All the + Secondary VLAN. The original VLAN that is being divided into smaller groups is called Primary, + which implies that all VLAN pairs in a private VLAN share the same Primary VLAN. All the secondary VLANs exist only inside the Primary. Each Secondary VLAN has a specific VLAN ID associated to it, which differentiates one sub-domain from another. For further reading: @@ -50,6 +72,9 @@
+
+ Prerequisites +
Prerequisites Ensure that you configure private VLAN on your physical switches out-of-band. From 840e14de0b322013a496f62958889383f9ccc1e3 Mon Sep 17 00:00:00 2001 From: radhikap Date: Mon, 10 Jun 2013 17:56:27 +0530 Subject: [PATCH 2/2] pvlan --- docs/en-US/pvlan.xml | 117 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 99 insertions(+), 18 deletions(-) diff --git a/docs/en-US/pvlan.xml b/docs/en-US/pvlan.xml index 5084ec411da..e3f2ea3ace7 100644 --- a/docs/en-US/pvlan.xml +++ b/docs/en-US/pvlan.xml @@ -21,27 +21,25 @@ -->
Isolation in Advanced Zone Using Private VLAN - + Isolation of guest traffic in shared networks can be achieved by using Private VLANs + (PVLAN). PVLANs provide Layer 2 isolation between ports within the same VLAN. In a PVLAN-enabled + shared network, a user VM cannot reach other user VM though they can reach the DHCP server and + gateway, this would in turn allow users to control traffic within a network and help them deploy + multiple applications without communication between application as well as prevent communication + with other users’ VMs. - isolate VMs from other VMs on the same network (Shared Networks are the most common use - case) using PVLANs + Isolate VMs in a shared networks by using Private VLANs. - create a Network Offering enabling PVLAN support + Supported in both VPC and non-VPC deployments. - create shared networks based on a network offering which has PVLANs enabled + Supported on all hypervisors. - supported in VPC as well as non-VPC deployments - - - supported on all Hypervisors - - - Allow end users to deploy VMs on Isolated Networks or VPC along with the Shared Networks - that have PVLAN support + Allow end users to deploy VMs in an isolated networks, or a VPC, or a Private + VLAN-enabled shared network.
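Review bot: the new introductory paragraph in this hunk is one run-on sentence and needs splitting at "gateway, this would in turn allow"; "a user VM cannot reach other user VM" should read "other user VMs", "without communication between application" should read "between applications", and the two list items "Isolate VMs in a shared networks" and "deploy VMs in an isolated networks" should use the singular "network". The typographic apostrophe in "users’ VMs" is fine only if pvlan.xml declares UTF-8; otherwise use a plain ASCII apostrophe. Note also that this hunk drops the two items about creating a Network Offering with PVLAN enabled and creating shared networks from it; if the procedure is covered elsewhere that is fine, otherwise those were the only pointers to how an operator actually turns the feature on.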
@@ -54,7 +52,38 @@ Secondary VLAN. The original VLAN that is being divided into smaller groups is called Primary, which implies that all VLAN pairs in a private VLAN share the same Primary VLAN. All the secondary VLANs exist only inside the Primary. Each Secondary VLAN has a specific VLAN ID - associated to it, which differentiates one sub-domain from another. + associated to it, which differentiates one sub-domain from another. + Three types of ports exist in a private VLAN domain, which essentially determine the + behaviour of the participating hosts. Each ports will have its own unique set of rules, which + regulate a connected host's ability to communicate with other connected host within the same + private VLAN domain. Configure each host that is part of a PVLAN pair can be by using one of + these three port designation: + + + Promiscuous: A promiscuous port can communicate with + all the interfaces, including the community and isolated host ports that belong to the + secondary VLANs. In Promiscuous mode, hosts are connected to promiscuous ports and are + able to communicate directly with resources on both primary and secondary VLAN. Routers, + DHCP servers, and other trusted devices are typically attached to promiscuous + ports. + + + Isolated VLANs: The ports within an isolated VLAN + cannot communicate with each other at the layer-2 level. The hosts that are connected to + Isolated ports can directly communicate only with the Promiscuous resources. If your + customer device needs to have access only to a gateway router, attach it to an isolated + port. + + + Community VLANs: The ports within a community VLAN + can communicate with each other and with the promiscuous ports, but they cannot + communicate with the ports in other communities at the layer-2 level. In a Community mode, + direct communication is permitted only with the hosts in the same community and those that + are connected to the Primary PVLAN in promiscuous mode. 
If your customer has two devices + that need to be isolated from other customers' devices, but to be able to communicate + among themselves, deploy them in community ports. + + For further reading: @@ -72,11 +101,63 @@
-
- Prerequisites -
Prerequisites - Ensure that you configure private VLAN on your physical switches out-of-band. + + + Use a PVLAN supported switch. + See Private VLAN Catalyst Switch Support Matrixfor more information. + + + Connect a switch to the gateway; connect additional switches to the gateway via a + trunk port: Only Cisco Catalyst 4500 has the PVLAN promiscuous trunk mode to connect both + normal VLAN and PVLAN to a PVLAN-unaware switch. For other Catalyst PVLAN support switch, + connect the switch to upper switch by using cables. The number of cables should be greater + than the number of PVLANs used. + + + All the layer 2 switches, which are PVLAN-aware, are connected to each other, and one + of them is connected to a router. All the ports connected to the host would be configured + in trunk mode. Allow Management VLAN, Primary VLAN (public) and secondary Isolated VLAN + ports. Configure the switch port connected to the router in PVLAN promiscuous trunk mode, + which would translate an isolated VLAN to primary VLAN for router, which is PVLAN-unaware. + + + + If your Catalyst switch supports PVLAN, but not PVLAN promiscuous trunk mode, perform + the following: + + + Configure one of the switch port as trunk for management network (management + VLAN). + + + For each PVLAN, perform the following: + + + Connect one port of the Catalyst switch to the upper switch. + + + Set the port in the Catalyst Switch in promiscuous mode for one pair of + PVLAN + + + Set the port in upper switch to access mode, and allow only the traffic of + primary VLAN of the PVLAN pair. + + + + + + + Configure private VLAN on your physical switches out-of-band. + + +
+
+ + <para/> </section> </section>
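Review bot: in the first hunk of patch 1/2 (`@@ -22,15 +22,37 @@`), the new itemized list mixes fragments and sentences with inconsistent capitalization ("isolate VMs ...", "create a Network Offering ...", "Allow end users ..."); make them parallel. The edited sentence in the same hunk still carries "communication with each another at Layer 2" in the unchanged context line; while touching this paragraph, change it to "with one another".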
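Review bot: the second hunk of patch 1/2 (`@@ -50,6 +72,9 @@`) inserts a `Prerequisites` title directly above the existing "Prerequisites Ensure that you configure private VLAN ..." text, so the rendered page gets two consecutive Prerequisites headings. The last hunk of patch 2/2 deletes exactly these lines again ("- Prerequisites -"), so either drop this hunk or squash the two commits so the duplicate never lands in history.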
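Review bot: in the port-types hunk of patch 2/2 (`@@ -54,7 +52,38 @@`), the `-`/`+` pair on "associated to it, which differentiates one sub-domain from another." looks like a whitespace-only change and should be reverted to keep the diff minimal. The sentence "Configure each host that is part of a PVLAN pair can be by using one of these three port designation" is garbled; suggest "Each host that is part of a PVLAN pair is configured with one of these three port designations:". "Each ports will have its own" should be "Each port has its own", "other connected host" should be "hosts", and "In a Community mode" should be "In Community mode". The intro announces three types of ports but the bullets are labelled "Promiscuous", "Isolated VLANs" and "Community VLANs"; label them consistently (Promiscuous, Isolated, Community ports). The point at which the hunk line breaks before "If your customer has two devices" is a non-breaking space; replace it with a normal space so the XML validates regardless of encoding.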
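Review bot: in the prerequisites hunk of patch 2/2 (`@@ -72,11 +101,63 @@`), "Switch Support Matrixfor more information" is missing the space after the link text, and the unreferenced claim that "Only Cisco Catalyst 4500 has the PVLAN promiscuous trunk mode" should be backed by the support matrix linked in the previous item. "The number of cables should be greater than the number of PVLANs used" is ambiguous for someone cabling the rack: state whether one cable per PVLAN pair is enough (greater than or equal) or an extra uplink is required. Minor: "Configure one of the switch port as trunk" should be "ports", and "Set the port in the Catalyst Switch in promiscuous mode for one pair of PVLAN" lacks its period. Keeping "Configure private VLAN on your physical switches out-of-band." as the final item is right, since it replaces the deleted sentence and the isolation described here holds only when every switch in the path is PVLAN-aware or reached through the promiscuous trunk mapping the hunk describes. The trailing "+ <para/>" added before the closing `</section>` tags is an empty element left over from editing and should be removed.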